Hi,I don't really know IIS all that well so I'm going to be a little faceious. Have you read the logs? There ought to be an error message explaining the HTTP 500 status codes. Are you sure your version of IIS is vulnerable to that particular attack? Are you sure the attack has not succeeded?

hmmm... it seems that our testbox was vulnerable to only certain extended unicode combinations. (like %c1%1c and %c1%9c, for example)

anyone have any ideas why?I will also look further into this.

BTW, i used the ever popular "cmd.exe?/c+dir" thing... just neglected to include it in the previous post. (sorry 'bout that, Dean) in the meantime, we're still tinkering with the testbox. thanks again, guys!